I am using proxy servers like kproxy in combination with https (https://www.kproxy.com) for anonymous browsing.I would like to know if my ISP or any intruder can intercept to view my requests/responses (both the URL which i am accessing and the request/response content)

In general i understand that ssl is used for the server identification and for encryption. But is this the case everytime or sometimes it is used only for server identification and not for encryption.

I would like to know if my ISP or any intruder can intercept to view my requests/responses

They can intercept your requests and responses but they cannot read them as they are encrypted.

Quote:

But is this the case everytime or sometimes it is used only for server identification and not for encryption.

This depends on a number of factors. Normally an SSL certificate would have an attribute called Key Usage which will state something like "Signing" and "Key Encipherment", this tells me what the certificate can be used for. The server identification is determined by comparing the CN in the Subject attribute against the URL.

You actual encrypted connection handled via a handshake, it is entirely possible for a NULL cipher to be used. This setting is determined byt eh browser asking the server what ciphers it supports and then using one.

Is i like likely that an HTTPS connection is not encrypted, no but it is technically possible to do.

I wouldn't rely on an encrypted connection to an anonymiser to protect you though. There are two methods that could be used to look at what you are doing:

Thank you very much Matt for your detailed explanation. I missed out one aspect in my original question.
1) From the answer, I could guess that using an anonymiser without SSL is not going to help the user with anonymity and privacy (from the ISP for example). If using an anonymiser website without SSL encryption is not going to give someone any privacy or anonymity, whats the purpose/benefit in using an anonymiser website without SSL ?
2) Can i use a tool like wireshark to check if my current SSL session in the browser is encrypted or not?

matt_s wrote:

I have to ask what person uses an anonymous proxy. Someone who doesn't want anyone knowing what they are doing e.g. something dodgy?

I would say that it is incorrect to assume that a person using anonymiser would be doing it for illegal purposes. Everyone likes privacy. I do not want anybody else to know more than what i wish to let them know what I am doing with my computer, internet and inside my bedroom.

If using an anonymiser website without SSL encryption is not going to give someone any privacy or anonymity, whats the purpose/benefit in using an anonymiser website without SSL ?

Absolutely correct, its like robing a bank with gloves but no balaclava.

Quote:

Can i use a tool like wireshark to check if my current SSL session in the browser is encrypted or not?

You would use wireshark, tcpdump. I know that in Firefox you can see what encryption algorithm and key size is being used.

Quote:

I would say that it is incorrect to assume that a person using anonymiser would be doing it for illegal purposes. Everyone likes privacy. I do not want anybody else to know more than what i wish to let them know what I am doing with my computer, internet and inside my bedroom.

Imagine you got in a taxi and the taxi driver demanded in doing illegal u-turns, speeding and handbrake maneuvers during your fare, he claimed that he might be being followed? Would you get in this cab? Would you report this person to the police? I understand that everyone needs their privacy but there is such a thing as suspicious amount of privacy.

Absolutely correct, its like robing a bank with gloves but no balaclava.

Matt, Thanks a lot for making it clear. An enlightening example

matt_s wrote:

You would use wireshark, tcpdump. I know that in Firefox you can see what encryption algorithm and key size is being used.

Thanks again.

matt_s wrote:

Imagine you got in a taxi and the taxi driver demanded in doing illegal u-turns, speeding and handbrake maneuvers during your fare, he claimed that he might be being followed? Would you get in this cab? Would you report this person to the police? I understand that everyone needs their privacy but there is such a thing as suspicious amount of privacy.

When i see someone do something illegal and if i feel that its serious I am definitely going to do something about it. Also I will complain against the driver just because he causes inconvenience to the public and not because I suspect any ulterior motives behind his actions. Am sure using anonymisor doesnot cause any inconvenience to anybody directly so long as it is not used for evil purposes. I would not suspect a snailmail envelop to contain something fishy or illegal just because it is sealed properly. Privacy is a very normal and genuine expectation. And I will not compromise on that or be lenient just because i am using internet. I believe this is a widely accepted view. I would like to point to a similar view expressed by Tim Bernars Lee, the inventor of WWW in one of his interviews to BBC http://news.bbc.co.uk/1/hi/technology/7299875.stm If anonymisors are so evil why have a seperate forum for it?

I would not suspect a snailmail envelop to contain something fishy or illegal just because it is sealed properly.

A thoughtful analogy and I see your point with this.

I expect an amount of privacy however I don't feel the need to go out of my way to get privacy. As a security professional, I know that 9 out of 10 (I have not taken a survey to get these stats by the way, just more like a guess ) if a person is using an anonymous proxy its because they are doing something they shouldn't either because of a law or a contract e.g. employment contract states no downloading porn.

I can however think of scenarios where an anonymous proxy might be used legitimately such as looking at what your web competitor is doing without arousing suspicion.

Another example of good guys using anonymous proxy would be people in countries with oppressive governments. They need privacy and anonymous proxy to ensure that they are not prosecuted based on what they read on the web.

Anonymizers sucks, you should know about it. kproxy stores a suspicious cookie, see http://whoer.net/ext via kproxy.

So install any system (Windows XP, Linux,..) in VirtualBox, VMWare, Parallels. Configure local DNS servers for this box, setup language for system, use VPN + socks via Proxifier (or SocksCap, FreeCap,..), turn off Java and plugins for browser. And it will be more secure.

in fact, no free proxy can give you a really high level of anonymity, it are not as reliable, as in need. And save user logs - is too dangerous to believe that such free services can give you absolute privacy in the internet